Following today’s meeting of the Justice Ministers Council in Luxembourg where an agreement was reached on the proposal for a General Data Protection Regulation (GDPR), EDRi and Privacy International would like to present the following statement:

In January 2012, the European Commission, following extensive consultations, published a draft Regulation. The initiative had three priorities – modernisation of the legal framework for the protection of personal data, harmonisation of the rules across the EU (proposing a single Regulation rather than a Directive that is implemented via 28 national laws) and maintaining existing levels of protection. A stated purpose was also to enhance individuals’ rights and put them more in control of their personal information, and make enforcement more effective – both are major failures of the current legislation

The objective of modernisation has not been achieved. Key elements of modernisation have been weakened to the point of meaninglessness. Rules on data breaches, privacy by design and, especially profiling, are far too weak and unclear.

Harmonisation has become a parody of its original intentions. The existing Directive consists of 34 articles. The Council’s position has 48 exceptions where Member States can do what they want, not including the broadening of the list of exceptions provided for in Article 21. In fact, Article 21 has broadened government powers so much that they can effectively run a coach and horses through all the rights and protection in this piece of legislation and render it null and void.

The objective of maintaining the levels in the 1995 Directive has not been achieved, inter alia for the reasons below. The European Commission had previously said that, as an absolute red line, standards would not be allowed to slip.

“This agreement is quite simply a brazen effort to destroy Europe’s world leading approach to data protection and privacy,” said Joe McNamee, Executive Director of European Digital Rights. “The Council position is a mixture of reckless disregard for citizens’ fundamental rights and pandering to special interests that led to draft legislation where the number of exceptions is higher than the total number of articles in the previous Directive.”

Equally, citizens and consumers will lose effective control of their personal data as a result of this legislation; and continuing illegal activity by businesses will remain unpunished.

“If the purpose of this reform was to strengthen people’s control over their personal information and improve enforcement, our governments have achieved the exact opposite,” added Anna Fielder, Board Chair of Privacy International. “The Council revisions to the draft data protection Regulations have done their best to disembowel some of the fundamental principles and further disempower individuals and their representatives by weakening rights. Moreover, any notion of harmonised, predictable rules across the Union have gone out of the window; in over a quarter of all the articles of this Regulation individual governments can develop their own rules.”

KEY ELEMENTS OF THE AGREEMENT

The proposal undermines purpose limitation:
The current text of the GDPR allows for the further processing of personal data “for archiving purposes in the public interest or scientific, statistical or historical purposes.” However, it is unclear what those statistical and scientific purposes are. Any large company that makes profit out of exploiting personal data could claim to be processing data for scientific purposes. This loophole is broadened further still by the new and controversial text of Article 6.4: “Further processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject.”

The proposal moves from data minimization to “non-excessive” data processing:
The proposed Article 5(c) removes the obligation to keep processing to a minimum and weakens it to “non-excessive” processing. The Council amendment removes the obligation that the data “shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data”. This provides room for data controllers to process more data than necessary.

The grounds for processing are increasingly vague:
The “legitimate interest” justification for data processing without consent is the vaguest ground for processing, offering a lot of scope for industry to process data if they can claim a “legitimate interest” in doing so.

Weaker redress and enforcement provisions:
Under the Council version, organisations defending citizen and consumer interests can no longer complain to authorities or take judicial actions on behalf of many individuals whose privacy rights have been breached. Data protection authorities do not have the resources to investigate every individual complaint and people to not take individual legal actions, particularly for privacy breaches that are not visible. Without this collective redress right, effective enforcement will continue to be weak.

Data transfers outside the EU: privacy regulation privatised or handed to unaccountable public bodies:
The Regulation opens the gates to a massive Trojan horse in these provisions, by specifically amending the articles that refer to privacy seals/trust-marks (called “certification mechanisms”) and to codes of conduct. Privacy seals and codes of conduct can be useful in providing guidance to specific sectors and providing extra information to individuals using a service. But they cannot be a guarantee of adequate privacy protections in a country where privacy enforcement is weak, particularly if the envisaged systems of monitoring and oversight are delegated to some private body. Furthermore public authorities and bodies can transfer personal information at will to public bodies outside the EU without any reference to data protection authorities or need for cooperation across the EU (the so-called consistency mechanism).

Serious implications for people’s health and human rights:
The Council proposals would allow further processing of health data, including genetic data on a massive scale; indefinite retention of health data including genetic data such as whole genomes without people’s knowledge or consent; and sharing of this data with third parties, including companies such as Google, without people’s knowledge or consent, usually with names stripped off (pseudo-anonymised) but in a way which allows results to be reconnected to individuals later on, or combined with other data sets (e.g. social care,education).

European Digital Rights (EDRi) is a not-for-profit association of 33 digital civil rights organisations from 19 European countries. Our objectives are to promote, protect and uphold civil rights in the field of information and communication technology.

Privacy International is a registered UK charity, defending privacy as a human right and advocating for strong laws that protect privacy round the world; it is celebrating its 25th anniversary this year.